Fake Google Update Delivering HavanaCrypt Ransomware
Malware Uses a Variety of Methods to Evade Detection
New ransomware that comes cloaked in the form of a Google application updater may have started maliciously encrypting files before its operators were ready to collect victims' money.
Researchers from TrendMicro say they spotted malware with features meant to defy reverse engineering and speed up file encryption - but for all its sophistication, it fails to drop a ransom note.
The malware, dubbed HavanaCrypt since it encrypts files with a .Havana file extension, might still be in the development phase, researchers write. "It is important to detect and block it before it evolves further and does even more damage," they warn.
HavanaCrypt masquerades as a Google Software Update application, a program automatically downloaded alongside Google applications such as the Chrome browser or the desktop version of Google Earth. Unusually, HavanaCrypt uses a Microsoft web hosting service IP address as its command-and-control server, likely in a bid to evade detection. It also appropriated encryption modules from open-source password manager KeePass Password Safe.
As it starts execution on a host machine, HavanaCrypt tries to frustrate would-be malware analysts by checking to see if it is being run on a virtual machine and shutting down if it spots telltale signs of a virtualized environment. Analysts routinely conduct dynamic analysis of ransomware - essentially allowing the malware to execute inside the confines of a sandbox.
TrendMicro's analysis comes during an era of growth for ransomware and the criminal gangs behind the malware. Telemetry collected by the Japanese multinational cybersecurity firm shows a more than 60% increase in ransomware-as-a-service and extortion groups during the first quarter of 2022 compared to the same time last year. That jump "inevitably led to more organizations falling prey to ransomware activity."
HavanaCrypt Malware Characteristics
HavanaCrypt is a .NET-compiled application, which is protected by Obfuscar, an open-source obfuscator tool.
Once executed, HavanaCrypt cloaks its activity by calling the Windows ShowWindow function so that its window is not displayed. It then checks the AutoRun registry key to see whether a "GoogleUpdate" entry is already present. If not, it continues with the routine.
When executed, HavanaCrypt undertakes a four-stage assessment of whether the infected machine is running in a virtualized environment.
First, it checks for services used by common virtualization applications such as VMware Tools and vmmouse. Then it checks for unusual files related to virtual machine applications. Third, it checks for file names used by virtual machines for their executables. Finally, it compares the prefix of the machine's MAC address - the unique number assigned to a network interface controller - against the identifier prefixes typically used by virtual machines.
TrendMicro says it got around the antivirtualization features by using tools such as de4dot and DeObfuscar. Even then, analysts had to deactivate the malware's use of the DebuggerStepThrough attribute, which instructs debuggers to step through rather than into the code.
Once it has established that the victim's machine is not running in a virtual machine, the malware downloads a file named "2.txt" from a Microsoft web hosting service IP address and saves it as a batch (.bat) file with a file name containing between 20 and 25 random characters.
"It then proceeds to execute the batch file using cmd.exe with a '/c start' parameter. The batch file contains commands that are used to configure Windows Defender scan preferences to allow any detected threat in the '%Windows%' and '%User%' directories," the researchers say.
At this point, it terminates a slew of processes that might be running on the host machine, including from database-related applications such as Microsoft SQL Server and MySQL. It also shuts down desktop applications, including Microsoft Office.
HavanaCrypt copies itself into the ProgramData and Startup folders under randomized file names, setting the copies' attributes to "Hidden" and "System File" so that most users will not see them.
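The three host-side behaviors described above - the "GoogleUpdate" AutoRun check, the cmd.exe "/c start" launch of a randomly named batch file that reconfigures Windows Defender, and the hidden copies dropped into ProgramData and Startup - are all visible in ordinary endpoint telemetry. The following Python hunt rules are an added example, not code from the TrendMicro report or from the malware, and they run over constructed Sysmon-style event records (process creation, file creation, registry value set) embedded inline. Two assumptions are mine: the report does not quote the batch file, so the Defender rule assumes the change is made with the Add-MpPreference/Set-MpPreference cmdlets, and the Run-key rule assumes a genuine Google updater is not launched from ProgramData or a Startup folder.

```python
import re

# Constructed Sysmon-style events (not taken from the report). Field names follow
# Sysmon's ProcessCreate (1), FileCreate (11) and RegistryEvent/value set (13).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "Details": r"C:\ProgramData\Kq3mZp8vXc2Lw9Rt.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start C:\Users\alice\AppData\Local\Temp\Ab4Kd9Qw2Zx7Lm1Pn6Rt3Vy.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Windows, C:\\Users"'},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wz8Lq2Pd5Kn7Xc.exe"},
    # Benign noise that the rules must not flag.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c start build.bat"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# "/c start" followed (after any path) by a bare 20-25 character alphanumeric name ending in .bat,
# the length range the report gives for the dropped batch file.
RANDOM_BAT = re.compile(r'(?i)/c\s+start\b.*?(?:^|[\\\s"])([A-Za-z0-9]{20,25})\.bat(?=$|[\s"])')
# Assumption: Defender preferences are changed with the MpPreference cmdlets; the batch contents are not quoted.
MP_PREF = re.compile(r"(?i)\b(Add|Set)-MpPreference\b.*?-(Exclusion\w*|\w*ThreatDefaultAction\w*|Disable\w*)")
STARTUP_EXE = re.compile(r"(?i)\\start menu\\programs\\startup\\[^\\]+\.(exe|bat|vbs)$")


def rule_run_key_googleupdate(ev):
    """Run value named GoogleUpdate whose target lives where HavanaCrypt copies itself."""
    if ev.get("EventID") != 13:
        return None
    if not ev["TargetObject"].lower().endswith(r"\currentversion\run\googleupdate"):
        return None
    data = ev.get("Details", "").lower()
    # Assumption: a genuine Google updater is not launched from ProgramData or a Startup folder.
    if "\\programdata\\" in data or "\\startup\\" in data:
        return f"Run value 'GoogleUpdate' points at {ev['Details']}"
    return None


def rule_cmd_start_random_bat(ev):
    """cmd.exe launching a randomly named (20-25 char) batch file via '/c start'."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\cmd.exe"):
        return None
    m = RANDOM_BAT.search(ev["CommandLine"])
    return f"cmd.exe /c start of randomly named batch file {m.group(1)}.bat" if m else None


def rule_defender_preference_change(ev):
    """Defender exclusion or threat-action change, especially one naming Windows or user directories."""
    if ev.get("EventID") != 1:
        return None
    m = MP_PREF.search(ev.get("CommandLine", ""))
    if not m:
        return None
    cl = ev["CommandLine"].lower()
    if "\\windows" in cl or "\\users" in cl:
        return f"Defender preference change ({m.group(0)}) covering Windows or user directories"
    return f"Defender preference change: {m.group(0)}"


def rule_startup_folder_executable(ev):
    """Executable written directly into a Startup folder (HavanaCrypt's persistence copy)."""
    if ev.get("EventID") != 11:
        return None
    if STARTUP_EXE.search(ev["TargetFilename"]):
        return f"executable dropped in Startup folder: {ev['TargetFilename']}"
    return None


RULES = [rule_run_key_googleupdate, rule_cmd_start_random_bat,
         rule_defender_preference_change, rule_startup_folder_executable]


def hunt(events):
    """Return (rule name, message) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Each rule on its own is weak (administrators do add Defender exclusions, and Startup folders do hold executables); the point is that any two of them firing on the same host within minutes of a process that claims to be a Google updater is a strong signal, and the rules deliberately key on the details the report gives (the value name, the 20-25 character batch name, the directories) rather than on file hashes that a still-evolving sample will not keep.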
Before maliciously encrypting files, HavanaCrypt collects system information, sending back to the C2 server the host's unique identifier as well as the number of processor cores, the motherboard name and manufacturer and the BIOS version.
The encryption routine uses a random key generator apparently taken from the open-source repository of KeePass Password Safe. It encrypts files, appending a .Havana file name extension, while avoiding encrypting files with certain extensions, including files that already have a malicious extension.
Whoever is behind HavanaCrypt sought to ensure the software encrypts quickly by invoking thread pooling, a software design technique that runs work concurrently on a reusable set of operating system threads.
There is a high possibility that the ransomware's operators are planning to communicate via the Tor browser, the researchers say, because Tor's directory is among those that it avoids encrypting.